Win2003 server: certificate templates

Thread starter: laurent

laurent

Hi,

Thanks for your help with my last questions about certificate
renewal for a standalone CA. I chose to re-enroll them.
I'm now doing some tests on a Windows Server 2003 Enterprise CA and I
have a few questions.
I'm creating some server certificates for machines that need to establish
SSL connections.
Here are some questions about certificate templates:
I created a new certificate template "serverCert".

1) I have a user toto who is identified on my domain and who can use
this certificate template. I succeeded in getting a certificate with
this new template through the web enrollment page with this user, but I
cannot access "serverCert" through the MMC panel.
The only templates I'm prompted with are EFS and USER.
So is there a way to access this new certificate template via the MMC panel?

2) As I received a new certificate with the web enrollment page, I saw
some unusual OIDs like this one:
1.3.6.1.4.1.311.21.7, and this one: 1.3.6.1.4.1.311.21.10.
I did some research, and the first one seems to be the certificate
template ID, but I don't know the role of the second one.
Are these OIDs necessary? If not, is there a way to remove them?
Indeed, I'm not sure if it will work with the servers.


Thanks,
laurent
 
Laurent, machines can enroll under their own context. Given an Enterprise
CA, you can add the machine to the template and it can autoenroll for the
certificate. The user does not have to intervene. I obviously don't have the
full context here, but it seems easier that way.

For your second question, 1.3.6.1.4.1.311.21.10 is application policies, a
Microsoft extension. It should be benign. You can make sure that there are
no application policies enabled in the template.
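To see which of these extensions a freshly issued certificate actually carries, here is an added example (not code from either poster) that walks a DER-encoded X.509 Extensions SEQUENCE and labels the two Microsoft OIDs from the thread; the sample bytes are constructed by hand, not taken from a real certificate.

```python
# Added example (not from the thread): walk a DER-encoded X.509 Extensions
# SEQUENCE and flag the two Microsoft OIDs laurent saw. The sample bytes
# below are constructed by hand, not taken from a real certificate.

KNOWN = {
    "1.3.6.1.4.1.311.21.7": "Certificate Template Information (Microsoft)",
    "1.3.6.1.4.1.311.21.10": "Application Policies (Microsoft)",
    "2.5.29.15": "Key Usage",
}

def read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Turn DER OID content bytes into dotted notation (base-128 arcs)."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                        # last byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_extensions(ext_seq):
    """Return [(dotted_oid, critical, description)] for each Extension."""
    _, body, _ = read_tlv(ext_seq, 0)           # Extensions ::= SEQUENCE OF
    out, pos = [], 0
    while pos < len(body):
        _, ext, pos = read_tlv(body, pos)       # Extension ::= SEQUENCE
        _, oid_bytes, p = read_tlv(ext, 0)      # extnID OBJECT IDENTIFIER
        tag, val, _ = read_tlv(ext, p)          # BOOLEAN critical or extnValue
        critical = tag == 0x01 and val != b"\x00"
        oid = decode_oid(oid_bytes)
        out.append((oid, critical, KNOWN.get(oid, "unknown")))
    return out

# Constructed sample: a critical Key Usage, then the two Microsoft extensions
# (their extnValue is an empty SEQUENCE here only to keep the sample short).
SAMPLE_EXTENSIONS = bytes.fromhex(
    "3032"
    "300e" "0603551d0f" "0101ff" "040403020520"
    "300f" "06092b0601040182371507" "04023000"
    "300f" "06092b060104018237150a" "04023000"
)
```

On a real certificate, the bytes to feed in are the Extensions SEQUENCE of the TBSCertificate, which `openssl asn1parse -in cert.pem` lets you locate by offset.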
 
The servers are running under UNIX, and I decided to request the
certificates with the MMC tool on a Windows XP or 2000 computer (I
already did some tests with the web enrollment).
After obtaining the certificates I export them to the servers.

I used the certificate user snap-in in the MMC panel to request a
certificate.
I created a "serverCert" template by modifying the "computer" template,
but I cannot access "serverCert" through the MMC panel.
I checked the rights on the certificate template and I have the right to
enroll.
To be able to request this new certificate template via MMC, are there
any constraints? Do you have to duplicate specific templates in order
to access them?

Thanks,
laurent

 
The best way will be to enroll from the web page. You should be able to do
this directly from the UNIX system. The problem is that you are trying to
request a machine certificate from a user account.
 
Laudon said:
The best way will be to enroll from the web page. You should be able to do
this directly from the UNIX system. The problem is that you are trying to
request a machine certificate from a user account.
You are right, but as I was doing some tests, I wanted to try the MMC too.
Anyway, when I did my tests, I noticed that when you use templates and
you want to enroll through the MMC, you can't completely specify a new DN.
You must use the AD (or this template will not be available), which will
fill the certificate with information about either the user account or the
computer account that is used to request the certificate. (Well, I'm not
quite sure about this.)
Hence web enrollment seems to be the best way to make a request for a
server not in the domain.

Thanks for your help,
laurent
 